Appendix J: Communications Plan - Template

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide

Purpose

This appendix is provided to help health care organizations develop an effective and efficient communications plan and intent is to ensure proper facilitation amongst multiple stakeholders, e.g., the board of directors, executive leadership, business units, and technical staff.

Scope

This Communications Plan provides communications strategies, core messages, and performance measures organizations can use for their cybersecurity awareness, implementation, and continual service improvement.

Objectives

There are six objectives for a health care organization’s communications around information security.

Ensure accurate, cohesive, and frequent messages are delivered in plain language to audience segments.
Develop awareness of cybersecurity efforts and encourage active participation and show the benefits (corporate, organizational, and employee) – and demonstrate the value of cybersecurity.
Identify the tools available to communicate to all audiences, develop a schedule for communications, and define specific guidelines for submitting content.
Provide management information necessary to support effective communications.
Ensure that resources provide effective information on training, current progress of the Initiative, and best practices to promote improved quality service management.
Provide feedback on the level of customer satisfaction, suggested corrective and preventive actions, lessons learned, security incidents response, and specific ideas for improving the quality of service.

Roles and Responsibilities

Table 13 provides the responsibilities for two principal roles in communications.

**Table 13. Roles and Responsibilities**
Role	Responsibilities
Chief Information Officer (CIO)	Serves as the Information Security champion Updates the Executive Leadership Team and Board of Directors, as needed Demonstrates a commitment to and strong support for Information Security initiatives Acts as an advocate for standardized policies, processes, and procedures Resolves and escalates Information Security issues as appropriate Approves and manages Information Security program resources
Chief Information Security Officer (CISO)	Manages the Information Security Program Leads information security initiatives Establishes standards, templates, workflows, processes, policies, and procedures Validates compliance with regulatory and legal requirements for information security Develops the communications plan for information security initiatives Determines appropriate internal and external communications and helps facilitate those communications Communicates the availability of artifacts, training, and guidelines required for secure quality service delivery Makes sure all communications are accurate and timely, and delivers messages in plain language to targeted audiences using appropriate media

Audience

To effectively communicate the Information Security Program and its initiatives, it is important to tailor the messages to the appropriate audiences (all involved parties), which includes the Leadership Team, vendors, suppliers, and customers.

The information required by these audiences will vary in focus and level of detail. The Security Officer must consider each audience's unique interests and perspectives on issues when developing communications.

There are four phases to achieving effective communications dealing with the rollout and acceptance of information security initiatives.

Develop interest and awareness
Educate audiences on the value of having a security framework.
Create a desire to adopt quality service management methodologies, processes, and frameworks and actively participate in the security activities
Institutionalize the need for standardized policies, processes, procedures, and measures to improve service delivery and customer satisfaction

Communication Phases of Implementation

For communication to be effective, it must satisfy the specific needs of all involved parties and the target audience(s) in particular. As individual or group needs vary over time, so must the communications. The 'Initiative Phases' outlined above represent stages when fundamental changes in perception occur for some or all stakeholder groups. 'Communication Phases' directly relate to these Initiative Phases.

Table 14 summarizes the areas of concern or interest during each of the Communications Phases, and lists the communication goals for each phase.

**Table 14. Phased Communication Goals**
Phase	Anticipated Areas of Concern or Interest	Communication Goals
1. Planning and Preparation	Unclear about the implications of the security Initiatives Unaware of the standards and their benefits Confused as to role in effort and level of change Concern regarding impact to the organization and initiatives (cost, schedule, and time) Concern about how changes will impact their work and ability to successfully carry out their assigned tasks Uncertain about the anticipated changes in business policies, processes, and procedures	Introduce security standards Set expectations for what is to come Seek and act on feedback from target audiences Develop communication vehicles Communicate management commitment Communicate vision for the future Define parameters of change and initiative scope Articulate timeline and activities State compelling reasons for initiative Enlist support and participation Identify and empower champions Share Initiative progress
2. Implementation	Realization of the impact of security activities on resources and timelines Staff concern over personal impact Uncertain of new skill requirements Rising negativity due to changes and work required to meet Initiative objectives Need for details about ISMS and what it means for their domain Concern over impacts of security on operations Availability and effectiveness of training	Share initiative progress Set the expectation for work ahead Provide guidance and assistance for all initiative activities Seek and act on feedback from target audiences Motivate towards the end goal Reinforce benefits including access to additional business and personal opportunities Outline phased approach and progress milestones Recognize champions Celebrate the current successes Provide more detail on what change will mean to the different target audiences Provide updates on constraints and accomplishments Emphasize available training and support
3. Validation	Impatient about the outcome Apprehensive because things are not perfect the first time Learning new skills Recognition of personal benefits Business benefits understood Fear of business and personal impact Apprehensive regarding customer acceptance of changes Anxiety over internal and external assessment and assessment requirements Relief when “it works” as perceived following initial assessments	Share Initiative progress Set realistic expectations for change Focus on successes Continue to communicate timeline Assess preparedness Provide training on the tools and methodologies that will be used Familiarize target audiences with assessment process and expectations Reinforce training and support availability Share lessons learned Seek and act on feedback from target audiences Celebrate milestones
4. Continual Service Improvement	Apprehensive over continuous assessment of work and work products Impatience regarding continual service improvement activities	Communicate individual contribution to the quality service management Communicate successes including increased business opportunities and customer satisfaction Seek and act on feedback from target audiences Solicit input regarding service improvement and lessons learned Share lessons learned Re-emphasize benefits, training, and access to guidance and assistance to facilitate service improvement and “maintaining the gain”

Core Messages and Vehicles

The core message concepts are reinforced with targeted audiences through selected communication activities and vehicles. Core messages are tailored to the audience's role in a successful implementation of security and support ongoing change management objectives. Core messages will be planned for the following targeted audiences:

Leadership Team
Customers/Contractors and Suppliers

It is important to communicate core messages through multiple vehicles (tactics) and channels. Vehicles are selected based upon:

Availability of vehicle
How effective the vehicle is at reaching audiences?
The appeal it has to a variety of learning styles
Individual audience preference

A variety of written and visual communication vehicles, such as newsletters and announcements, e-mails, surveys, and bulletins, plus more personal, two-way vehicles, such as meetings and briefings to various groups, should be included. A mechanism allowing the audience to ask questions and receive feedback is critical for the security Initiatives.

The following are important guidelines for communications:

Consistent messaging is always important, especially with a new initiative
Communications must be ongoing once a new initiative begins
Recognize that all audiences do not require the same level of detail when receiving the same information

Core Messages for All Audiences

Communicate to all audiences, the following core messages:

Demonstrate organization’s commitment to security using a Charter
Develop interest and awareness in security and the framework selected to achieve it.
Educate audiences on the value of security; describe the benefits to the organization and the individual
Create a desire to adopt secure quality service management methodologies, processes, and frameworks, and actively participate in the security Initiative
Institutionalize the need for standardized policies, processes, procedures, and measures to improve service delivery and customer satisfaction
Explain what to do if questions arise regarding security framework, its implementation, rollout, and continual service improvement

Core Messages for Leadership Team

The core messages for these audiences focus on team communication and communications with other organizations and individuals involved or interested in security:

Notify audiences of activities, schedule, progress, successes, artifacts, and events
Keep team members up to date on all team activities or activities in related programs or initiatives
Share new ideas, articles, and materials related to quality service management and information security
Review and communicate lessons learned
Record and review feedback from customers and all involved in or interested in security initiatives
Emphasize the importance of information security initiatives, training, and awareness
Detail methods for creating a desire to adopt secure quality service management methodologies, processes and frameworks, and actively participate in the security Initiatives
Reinforce the need to institutionalize standardized policies, processes, procedures, and measures/metrics to improve service delivery and customer satisfaction
Stress the significance of open communication and matching the communication to the appropriate audience and vehicle

Core Messages for Vendors, Suppliers, and Customers

Communicate to vendors, suppliers, and customers the following core messages:

Announce the results of any information security assessments when applicable
Describe customer benefits and the value of information security by outlining the service improvement and customer focused aspects of relevant information security standards
Offer options for finding more information about information security and the Information Security Program

Vehicle Selection

A wide range of communications methods or vehicles are available to get information to those who need it, as shown in Table 15. While every vehicle can convey information, some vehicles have greater strengths than others depending on the type of information used.

**Table 15. Vehicle Selection**
Type of Communication	Possible Vehicle
Internal or external	Corporate communications
Sensitive or restricted material	Email, meeting, one-on-one, paper
Urgent, time critical	Email, meeting, one-on-one
Must reach recipient, a large, targeted audience, and/or be easily understood	Email, paper
Requires dialogue; complex or easily misunderstood	Meeting, conference call, one-on-one
Requires feedback or reply	Email, meeting, teleconference, survey
Large amount of content	SharePoint, Skype Meeting
Includes special formats	SharePoint, video teleconference, conference call
Large unspecified audience; brief message	SharePoint, survey, email
Team centered	Conference Calls, email, meeting, teleconference, video conference, one-on-one, paper

Table 16 summarizes the communication tactics that can be used to deliver core messages to targeted audiences, and include the purpose/content of the communications, the intended audience, the timing and frequency of communications, the intended strategy, and responsible party.

Calendar of Events

The tactics listed in this Communication Plan are recommended for all Communications Phases from Planning and Preparation through Continual Service Improvement. This plan is intended to guide the communication effort through the introduction, acceptance, and continual service improvement. It is recommended that a calendar is developed with planned initiatives identified. This will ensure information regarding events will be reviewed and updated periodically.

<< Back Next >>